Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (18)
These are common fields that appear across multiple namespaces. They represent attributes inherited or reused from a global schema: timestamps, unique identifiers, user IDs, status codes and the like that every namespace needs. Sharing these fields keeps the data consistent and makes cross-namespace searches and reports straightforward. The Reference-Specific Fields column shows which raw sysmon.* field populates each gen.* field; where two sources are listed, whichever is present in the event supplies the value.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.process.commandline | Command line used to start the process. | sysmon.CommandLine | string |
| gen.vendor | Vendor name of the product generating the log. | sysmon.Company | strings |
| gen.hostname | Normalized hostname of the system generating the log. | sysmon.Computer | text_general |
| gen.dest.ip | Destination IP address. | sysmon.DestinationIp | text_general |
| gen.dest.port | Destination port number. | sysmon.DestinationPort | pint |
| gen.process.process | Name of the process. | sysmon.Image | string |
| gen.process.privileges | Privileges under which the process is running. | sysmon.IntegrityLevel | strings |
| gen.file.name | File name associated with the event. | sysmon.OriginalFileName, sysmon.TargetFilename | strings |
| gen.file.path | Full file path associated with the event. | sysmon.OriginalFileName, sysmon.TargetFilename | strings |
| gen.process.parent.commandline | Command line of the parent process. | sysmon.ParentCommandLine | string |
| gen.process.parent.process | Name of the parent process. | sysmon.ParentImage | string |
| gen.process.parent.pid | Process ID of the parent process. | sysmon.ParentProcessId | pint |
| gen.process.pid | Process ID of the running process. | sysmon.ProcessId | pint |
| gen.product | Product name or component generating the log. | sysmon.Product | strings |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | sysmon.Protocol | strings |
| gen.src.ip | Source IP address. | sysmon.SourceIp | text_general |
| gen.src.port | Source port number. | sysmon.SourcePort | pint |
| gen.username | Username associated with the event. | sysmon.User | text_general |
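The normalization the table above describes, as an added example that is not the SIEM's own code: a Python function that builds the gen.* view of a raw Sysmon event from the mapping in the Reference-Specific Fields column, plus a small equality search over the normalized fields to show why the shared names matter. It assumes raw fields arrive under the sysmon.* names used on this page, that numeric fields arrive as strings (as they do in Windows event XML), and, since the table maps gen.file.name and gen.file.path to the same sources, that gen.file.name holds the base name of that value. Both sample events are constructed for the example.

```python
"""Build the gen.* view of a raw Sysmon event from the Generic Fields table.

Added example, not the SIEM's own normalizer. Assumptions: raw fields arrive
under the sysmon.* names used on this page, numeric fields arrive as strings,
and gen.file.name is the base name of the value chosen for gen.file.path.
"""
import ntpath
from typing import Any

# gen.* field -> sysmon.* sources to try in order (first present wins),
# copied from the Reference-Specific Fields column of the table.
GEN_MAP: dict[str, list[str]] = {
    "gen.process.commandline": ["sysmon.CommandLine"],
    "gen.vendor": ["sysmon.Company"],
    "gen.hostname": ["sysmon.Computer"],
    "gen.dest.ip": ["sysmon.DestinationIp"],
    "gen.dest.port": ["sysmon.DestinationPort"],
    "gen.process.process": ["sysmon.Image"],
    "gen.process.privileges": ["sysmon.IntegrityLevel"],
    "gen.file.name": ["sysmon.OriginalFileName", "sysmon.TargetFilename"],
    "gen.file.path": ["sysmon.OriginalFileName", "sysmon.TargetFilename"],
    "gen.process.parent.commandline": ["sysmon.ParentCommandLine"],
    "gen.process.parent.process": ["sysmon.ParentImage"],
    "gen.process.parent.pid": ["sysmon.ParentProcessId"],
    "gen.process.pid": ["sysmon.ProcessId"],
    "gen.product": ["sysmon.Product"],
    "gen.protocol": ["sysmon.Protocol"],
    "gen.src.ip": ["sysmon.SourceIp"],
    "gen.src.port": ["sysmon.SourcePort"],
    "gen.username": ["sysmon.User"],
}

# Fields typed pint in the table: coerce so range queries on ports and PIDs work.
INT_FIELDS = {"gen.dest.port", "gen.src.port", "gen.process.parent.pid", "gen.process.pid"}


def normalize(event: dict[str, Any]) -> dict[str, Any]:
    """Return only the gen.* fields whose source is present in the raw event."""
    out: dict[str, Any] = {}
    for gen_field, sources in GEN_MAP.items():
        for src in sources:
            value = event.get(src)
            if value in (None, ""):
                continue
            if gen_field in INT_FIELDS:
                value = int(value)  # a non-numeric PID or port is a parser bug; fail loudly
            elif gen_field == "gen.file.name":
                value = ntpath.basename(value)  # assumption: name = base name of the path
            out[gen_field] = value
            break
    return out


def search(events: list[dict[str, Any]], where: dict[str, Any]) -> list[dict[str, Any]]:
    """Cross-namespace style query: match normalized events on gen.* equality."""
    hits = []
    for ev in events:
        norm = normalize(ev)
        if all(norm.get(k) == v for k, v in where.items()):
            hits.append(norm)
    return hits


# Constructed sample events (Event ID 1 and Event ID 3), not real telemetry.
SAMPLE_PROCESS_CREATE = {
    "sysmon.EventID": 1,
    "sysmon.Computer": "WS01.corp.example",
    "sysmon.Image": r"C:\Windows\System32\cmd.exe",
    "sysmon.CommandLine": "cmd.exe /c whoami",
    "sysmon.OriginalFileName": "Cmd.Exe",
    "sysmon.Company": "Microsoft Corporation",
    "sysmon.Product": "Microsoft Windows Operating System",
    "sysmon.IntegrityLevel": "Medium",
    "sysmon.ProcessId": "4132",
    "sysmon.ParentImage": r"C:\Windows\explorer.exe",
    "sysmon.ParentCommandLine": r"C:\Windows\Explorer.EXE",
    "sysmon.ParentProcessId": "2280",
    "sysmon.User": r"CORP\alice",
}
SAMPLE_NETWORK_CONNECT = {
    "sysmon.EventID": 3,
    "sysmon.Computer": "WS01.corp.example",
    "sysmon.Image": r"C:\Windows\System32\cmd.exe",
    "sysmon.ProcessId": "4132",
    "sysmon.User": r"CORP\alice",
    "sysmon.Protocol": "tcp",
    "sysmon.SourceIp": "10.0.0.25",
    "sysmon.SourcePort": "51234",
    "sysmon.DestinationIp": "10.0.0.7",
    "sysmon.DestinationPort": "445",
}

if __name__ == "__main__":
    for ev in (SAMPLE_PROCESS_CREATE, SAMPLE_NETWORK_CONNECT):
        print(normalize(ev))
    print(search([SAMPLE_PROCESS_CREATE, SAMPLE_NETWORK_CONNECT], {"gen.dest.port": 445}))
```

The network event carries no file field, so it produces no gen.file.* keys at all rather than an empty string; that is the behaviour a schema with optional fields needs, otherwise "exists" queries stop meaning anything.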
Reference-Specific Fields (90)
| Field | Description | Type |
|---|---|---|
| sysmon.Provider.Name | Name of the event provider that emitted the record; for Sysmon this is Microsoft-Windows-Sysmon. | string |
| sysmon.Archived | Whether the deleted file or clipboard content was archived to the Sysmon archive directory (Event IDs 23 and 24). | text_general |
| sysmon.CallTrace | Call stack of the accessing thread at the time of the event (Event ID 10, ProcessAccess), as module+offset entries separated by a vertical bar. | text_general |
| sysmon.ClientInfo | Client information for clipboard change events (Event ID 24), e.g. the user whose session changed the clipboard. | text_general |
| sysmon.CommandLine | Full command-line string used to launch the process (Event ID 1, ProcessCreate). | text_general |
| sysmon.Company | Company name from the executable's version information, if present. | text_general |
| sysmon.Computer | Hostname of the machine on which the event was recorded. | text_general |
| sysmon.Configuration | Path of the Sysmon configuration file in effect (Event ID 16, config state changed). | text_general |
| sysmon.ConfigurationFileHash | Hash of the loaded configuration file, for integrity verification (Event ID 16). | text_general |
| sysmon.Consumer | WMI event consumer bound to a filter (Event ID 21, WMI binding). | text_general |
| sysmon.Contents | Contents of the alternate data stream, captured for small text streams such as Zone.Identifier (Event ID 15, FileCreateStreamHash). | text_general |
| sysmon.CreationUtcTime | Creation time (UTC) of the file: the new creation time in Event ID 2 (FileCreateTime changed), the file's creation time in Event ID 11 (FileCreate). | text_general |
| sysmon.CurrentDirectory | Current working directory of the process when it started (Event ID 1). | text_general |
| sysmon.Description | File description from the executable's version information (Event ID 1); error text for Sysmon error events (Event ID 255). | text_general |
| sysmon.Destination | Destination of a WMI event consumer, e.g. the command line or script it runs (Event ID 20). | text_general |
| sysmon.DestinationHostname | Resolved hostname of the remote endpoint (Event ID 3, NetworkConnect). | text_general |
| sysmon.DestinationIp | IP address of the remote endpoint involved in the event. | text_general |
| sysmon.DestinationIsIpv6 | Boolean flag indicating whether the destination IP is IPv6. | boolean |
| sysmon.DestinationPort | TCP/UDP port number of the destination (Event ID 3). | pint |
| sysmon.DestinationPortName | Resolved service name for the destination port (e.g., http, dns). | text_general |
| sysmon.Details | Value data written to the registry (Event ID 13, RegistryEvent Value Set). | text_general |
| sysmon.Device | Device read via raw access, e.g. \Device\HarddiskVolume1 (Event ID 9, RawAccessRead). | text_general |
| sysmon.EventID | Numeric identifier of the Sysmon event type (e.g., 1 = ProcessCreate, 3 = NetworkConnect, 10 = ProcessAccess, 22 = DnsQuery). | pint |
| sysmon.EventName | Human-readable name corresponding to the EventID (e.g., ProcessCreate, FileCreate). | text_general |
| sysmon.EventNamespace | WMI namespace of the event filter, e.g. root\cimv2 (Event ID 19). | text_general |
| sysmon.EventType | Sub-type of WMI events: WmiFilterEvent, WmiConsumerEvent or WmiBindingEvent (Event IDs 19, 20 and 21). | text_general |
| sysmon.FileVersion | Version string from the executable's version information, if available. | text_general |
| sysmon.Filter | WMI event filter bound to a consumer (Event ID 21). | text_general |
| sysmon.GrantedAccess | Access mask granted on the target process, as a hex value such as 0x1010 (Event ID 10, ProcessAccess). | string |
| sysmon.Hash | Hash of the alternate data stream contents (Event ID 15). | text_general |
| sysmon.Hashes | Hashes of the file or image as a comma-separated list of ALG=value pairs (MD5, SHA1, SHA256, IMPHASH), as configured. | text_general |
| sysmon.ID | Error identifier for Sysmon error events (Event ID 255). | text_general |
| sysmon.Image | Full path to the executable image of the process involved in the event. | text_general |
| sysmon.ImageLoaded | Path of the driver or module that was loaded (Event IDs 6 and 7). | text_general |
| sysmon.Initiated | true when the local process initiated the connection (outbound), false for an accepted inbound connection (Event ID 3). | boolean |
| sysmon.IntegrityLevel | Integrity level of the process (e.g., High, Medium, Low, System). | text_general |
| sysmon.IsExecutable | Whether the deleted file is an executable (Event ID 23). | boolean |
| sysmon.LogonGuid | GUID of the logon session of the event's process. | string |
| sysmon.LogonId | Identifier of the user logon session (e.g., 0x1234abcd). | string |
| sysmon.Name | Name of the WMI filter or consumer (Event IDs 19 and 20). | text_general |
| sysmon.NewName | New key or value name in registry rename events (Event ID 14). | text_general |
| sysmon.NewThreadId | Thread ID of the thread created in the target process (Event ID 8, CreateRemoteThread). | plong |
| sysmon.Operation | WMI operation, Created or Deleted (Event IDs 19, 20 and 21). | text_general |
| sysmon.OriginalFileName | Original file name from the executable's version information (Event ID 1); it survives renaming of the file on disk, which is why it is worth comparing with Image. | text_general |
| sysmon.ParentCommandLine | Command line of the parent process, if applicable. | text_general |
| sysmon.ParentImage | Full path of the parent process executable image. | text_general |
| sysmon.ParentProcessGuid | GUID of the parent process that spawned the child process. | string |
| sysmon.ParentProcessId | Process ID of the parent process. | plong |
| sysmon.ParentUser | Username that ran the parent process. | text_general |
| sysmon.PipeName | Name of the named pipe that was created or connected (Event IDs 17 and 18). | text_general |
| sysmon.PreviousCreationUtcTime | Creation time (UTC) the file had before it was changed (Event ID 2). | text_general |
| sysmon.ProcessGuid | GUID uniquely identifying the process instance. | string |
| sysmon.ProcessId | Process ID assigned by the operating system. | plong |
| sysmon.Product | Product name from the executable's version information, if available. | text_general |
| sysmon.Protocol | Network protocol used (e.g., tcp, udp) for network connection events. | text_general |
| sysmon.Query | WQL query of the WMI event filter (Event ID 19). | text_general |
| sysmon.QueryName | Domain name that was queried (Event ID 22, DnsQuery). | text_general |
| sysmon.QueryResults | DNS answers, separated by semicolons; IPv4 answers appear as IPv6-mapped addresses (::ffff:a.b.c.d) and other records are prefixed with their type (Event ID 22). | text_general |
| sysmon.QueryStatus | DNS query status code, 0 on success (Event ID 22). | text_general |
| sysmon.RuleName | Name of the Sysmon rule that matched and produced the event. | text_general |
| sysmon.SchemaVersion | Version of the Sysmon event schema. | text_general |
| sysmon.Session | Terminal session ID of the process in clipboard change events (Event ID 24). | plong |
| sysmon.Signature | Signer of the loaded driver or image (Event IDs 6 and 7). | text_general |
| sysmon.SignatureStatus | Verification status of the signature (e.g., Valid, Invalid, Expired). | text_general |
| sysmon.Signed | true/false whether the loaded driver or image is signed (Event IDs 6 and 7). | text_general |
| sysmon.SourceHostname | Hostname of the source endpoint for network events. | text_general |
| sysmon.SourceImage | Image of the process that created the remote thread or opened the handle (Event IDs 8 and 10). | text_general |
| sysmon.SourceIp | IP address of the source endpoint involved in the event. | text_general |
| sysmon.SourceIsIpv6 | Boolean flag indicating whether the source IP is IPv6. | boolean |
| sysmon.SourcePort | TCP/UDP port number of the source (Event ID 3). | pint |
| sysmon.SourcePortName | Resolved service name for the source port. | text_general |
| sysmon.SourceProcessGuid | GUID of the source process (Event IDs 8 and 10). | string |
| sysmon.SourceProcessId | Process ID of the source process (Event IDs 8 and 10). | plong |
| sysmon.SourceThreadId | Thread ID within the source process that performed the action (Event IDs 8 and 10). | plong |
| sysmon.SourceUser | Username under which the source process ran. | text_general |
| sysmon.StartAddress | Start address of the new thread in the target process (Event ID 8, CreateRemoteThread). | text_general |
| sysmon.StartFunction | Name of the function at StartAddress, if it could be resolved (Event ID 8). | text_general |
| sysmon.StartModule | Module containing StartAddress, if it could be resolved (Event ID 8). | text_general |
| sysmon.State | Sysmon service state, Started or Stopped (Event ID 4). | text_general |
| sysmon.TargetFilename | Path of the file the event refers to (file create, delete, stream and timestamp events). | text_general |
| sysmon.TargetImage | Image of the process that was accessed or injected into (Event IDs 8 and 10). | text_general |
| sysmon.TargetObject | Registry key or value path the event refers to (Event IDs 12, 13 and 14). | text_general |
| sysmon.TargetProcessGuid | GUID of the target process (Event IDs 8 and 10). | string |
| sysmon.TargetProcessId | Process ID of the target process (Event IDs 8 and 10). | plong |
| sysmon.TargetUser | Username associated with the target process. | text_general |
| sysmon.TerminalSessionId | ID of the terminal session (e.g., RDP) in which the process runs. | string |
| sysmon.Type | Consumer type for WMI consumer events (Event ID 20); tampering type, such as "Image is replaced", for ProcessTampering (Event ID 25). | text_general |
| sysmon.User | Username under which the event-generating process ran. | text_general |
| sysmon.UtcTime | UTC timestamp of the event as recorded by Sysmon. | text_general |
| sysmon.Version | Sysmon version that generated the event (Event ID 4). | text_general |
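Several of the fields above are packed strings that have to be decoded before they are useful in a detection: Hashes, GrantedAccess and QueryResults in particular. As an added example, not part of this page or of Sysmon, here is a Python decoder for those three plus one check built on it (a ProcessAccess event against lsass.exe whose mask includes PROCESS_VM_READ). The access-right constants are the standard Windows process rights; the event dictionaries and the hash values are constructed, and the sysmon.* names are assumed to be how this SIEM exposes the raw fields.

```python
"""Decode Sysmon's packed string fields and run one check on the result.

Added example, not part of the page or of Sysmon. Relies on three documented
Sysmon formats: Hashes is "ALG=hex,ALG=hex"; GrantedAccess (Event ID 10) is a
hex process access mask; QueryResults (Event ID 22) is ';'-separated, with
IPv4 answers written as ::ffff:a.b.c.d and other records prefixed by "type:".
Sample events and hash values are constructed.
"""
import ntpath

# Standard Windows process access rights (winnt.h), the subset that matters
# for handle-to-lsass triage.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def parse_hashes(hashes: str) -> dict[str, str]:
    """'MD5=...,SHA256=...' -> {'MD5': '...', 'SHA256': '...'} (upper-case hex)."""
    out = {}
    for part in hashes.split(","):
        alg, sep, digest = part.partition("=")
        if sep:
            out[alg.strip().upper()] = digest.strip().upper()
    return out


def decode_granted_access(mask: str) -> set[str]:
    """'0x1010' -> {'PROCESS_VM_READ', 'PROCESS_QUERY_LIMITED_INFORMATION'}."""
    value = int(mask, 16)
    return {name for bit, name in PROCESS_RIGHTS.items() if value & bit}


def parse_query_results(results: str) -> list[str]:
    """Return the resolved addresses from an Event ID 22 QueryResults string."""
    answers = []
    for entry in results.split(";"):
        entry = entry.strip()
        if not entry or entry.startswith("type:"):
            continue  # 'type: 5 name' entries are CNAME/other records, not addresses
        answers.append(entry[7:] if entry.startswith("::ffff:") else entry)
    return answers


def is_lsass_memory_read(event: dict) -> bool:
    """ProcessAccess (Event ID 10) on lsass.exe whose mask includes PROCESS_VM_READ."""
    if event.get("sysmon.EventID") != 10:
        return False
    target = ntpath.basename(event.get("sysmon.TargetImage", "")).lower()
    rights = decode_granted_access(event.get("sysmon.GrantedAccess", "0x0"))
    return target == "lsass.exe" and "PROCESS_VM_READ" in rights


# Constructed sample events, not real telemetry.
SAMPLE_ACCESS = {
    "sysmon.EventID": 10,
    "sysmon.SourceImage": r"C:\Users\alice\Downloads\tool.exe",
    "sysmon.TargetImage": r"C:\Windows\system32\lsass.exe",
    "sysmon.GrantedAccess": "0x1010",
}
SAMPLE_DNS = {
    "sysmon.EventID": 22,
    "sysmon.QueryName": "cdn.example.net",
    "sysmon.QueryStatus": "0",
    "sysmon.QueryResults": "type:  5 edge.example.net;::ffff:203.0.113.10;",
}
SAMPLE_HASHES = "MD5=" + "0" * 32 + ",SHA256=" + "0" * 64 + ",IMPHASH=" + "0" * 32

if __name__ == "__main__":
    print(parse_hashes(SAMPLE_HASHES)["SHA256"])
    print(sorted(decode_granted_access(SAMPLE_ACCESS["sysmon.GrantedAccess"])))
    print(parse_query_results(SAMPLE_DNS["sysmon.QueryResults"]))
    print(is_lsass_memory_read(SAMPLE_ACCESS))
```

Decoding the mask rather than matching the literal string matters: a tool that requests 0x1010 and one that requests 0x1438 both read lsass memory, and a string match on one value misses the other. Keep the raw sysmon.GrantedAccess string too, since the exact mask is a useful tool fingerprint.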
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.